Overview
Deliverability is the probability that mail you send actually reaches the recipient's inbox rather than the spam folder or being silently dropped. It depends on four things: authentication records, network configuration, IP reputation, and sending behavior. All four must be in order.
1. Authentication Records (SPF, DKIM, DMARC)
These are the baseline. If they are missing or misconfigured, large providers will filter or reject your mail regardless of content.
- SPF — auto-created when you add a domain in Opterius
- DKIM — auto-generated per-domain via the agent's /email/setup-deliverability endpoint
- DMARC — add manually after SPF and DKIM are confirmed working
Full setup instructions: SPF, DKIM, and DMARC
2. Port 25 — Is It Actually Open?
Port 25 is the standard port for server-to-server mail delivery. Many VPS and cloud providers block outbound port 25 by default to prevent abuse from compromised instances.
Default outbound port 25 policy at common providers:
| Provider | Default | How to unblock |
|---|---|---|
| DigitalOcean | Blocked | Submit a support request; approval is not guaranteed for new accounts |
| AWS EC2 | Blocked | Submit a support request via AWS Console → Service Quotas |
| Linode (Akamai) | Blocked on new accounts | Contact support with a brief explanation of your use case |
| Vultr | Blocked | Submit a support request |
| Hetzner | Generally open | Check the Hetzner Cloud Console for network rules |
To test whether port 25 is open from your server:
telnet gmail-smtp-in.l.google.com 25
If the connection hangs or is refused, outbound port 25 is blocked at the network level, and you need to contact your provider. This is not fixable in Postfix configuration.
[!IMPORTANT] Using port 587 (submission) for outbound to other servers does not solve this. Port 587 is for client-to-server submission only. Server-to-server delivery always uses port 25.
3. PTR / rDNS Record
A PTR (reverse DNS) record maps your server's IP address back to a hostname. Receiving mail servers check this during the SMTP connection. If your IP has no PTR record, or if the PTR does not match your server's myhostname in Postfix, many servers will reject or downgrade your mail.
What it should look like
If your server's hostname is mail.yourdomain.com and its IP is 203.0.113.10:
10.113.0.203.in-addr.arpa. IN PTR mail.yourdomain.com.
And mail.yourdomain.com should have an A record pointing back to 203.0.113.10 (forward-confirmed rDNS).
How to set it
PTR records are set by whoever controls the IP allocation — your VPS provider, not your DNS registrar or PowerDNS.
- DigitalOcean — set the droplet's hostname to your desired PTR hostname; DigitalOcean sets the PTR to match
- Linode/Akamai — set via Linode Cloud Manager → Linodes → Networking → Reverse DNS
- Hetzner — set via Hetzner Cloud Console → Server → Networking → Set PTR
- AWS — submit a reverse DNS request via AWS support
Verify
dig -x YOUR_SERVER_IP +short
The response should return your server's hostname.
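The PTR lookup and the forward lookup can be combined into one forward-confirmed rDNS check. This is an added example, not part of Opterius or the original page; the function names are hypothetical and it assumes dig is installed.

```sh
# Added example: forward-confirmed reverse DNS (FCrDNS) check. Function names are hypothetical.
# DNS lookups are wrapped so the comparison logic can be exercised without network access.
lookup_ptr() { dig -x "$1" +short; }   # IP       -> PTR target(s)
lookup_a()   { dig "$1" A +short; }    # hostname -> IPv4 address(es)

# Lower-case a name and drop the trailing root dot so string comparison is exact.
normalize() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# fcrdns_check IP EXPECTED_HOSTNAME
# Return: 0 = PTR equals the expected name and that name resolves back to IP
#         1 = no PTR, 2 = PTR does not match expected name, 3 = no A record back to IP
fcrdns_check() {
  fc_ip=$1
  fc_want=$(normalize "$2")
  fc_ptrs=$(lookup_ptr "$fc_ip")
  if [ -z "$fc_ptrs" ]; then
    echo "FAIL: no PTR record for $fc_ip"; return 1
  fi
  for fc_name in $fc_ptrs; do              # an IP may carry more than one PTR
    [ "$(normalize "$fc_name")" = "$fc_want" ] || continue
    if lookup_a "$fc_want" | grep -qxF "$fc_ip"; then
      echo "OK: $fc_ip <-> $fc_want"; return 0
    fi
    echo "FAIL: $fc_want has no A record for $fc_ip"; return 3
  done
  echo "FAIL: PTR for $fc_ip is $(echo $fc_ptrs), expected $fc_want"; return 2
}

# On the mail server, compare against what Postfix announces:
#   fcrdns_check YOUR_SERVER_IP "$(postconf -h myhostname)"
```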
4. IP Reputation
Your server's IP address has a reputation that accumulates over time. A new IP starts neutral. Spam complaints, high bounce rates, and presence on blacklists degrade it.
To build a good reputation from a new IP:
- Start with low sending volume and ramp up gradually
- Only send to addresses you have confirmed opt-ins for
- Handle bounces — remove hard-bounce addresses immediately
- Monitor complaint rates — if recipients are marking your mail as spam, stop sending to them
Shared IP vs. Dedicated IP
If your server IP was previously used by someone else (e.g. a recycled VPS), it may already be on blacklists. Check before sending:
# Check a single IP against common blacklists
curl "https://api.mxtoolbox.com/api/v1/Lookup/blacklist/?argument=YOUR_IP"
Or use MXToolbox Blacklist Check directly.
5. Blacklist Monitoring
Once your server is sending mail, monitor the main blacklists regularly.
Key blacklists that affect deliverability:
| List | Impact |
|---|---|
| Spamhaus ZEN (SBL, XBL, PBL) | Very high — used by most major providers |
| Barracuda BRBL | High — used by corporate mail gateways |
| SORBS | Moderate |
| SpamCop | Moderate |
If your IP is listed:
- Identify why — most blacklists provide a lookup page that explains the reason
- Fix the underlying cause (compromised account, misconfigured server, open relay)
- Submit a delisting request through the blacklist's process
[!NOTE] Some lists (particularly Spamhaus PBL) list IP ranges that VPS providers own as "not intended for outbound mail." This is common with residential and VPS IP blocks. The fix is to get your provider to move your IP off the PBL range, or to verify your IP using Spamhaus's self-service delisting for PBL listings.
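The blacklist check can also be run directly over DNS, which shows which Spamhaus sub-list (SBL, XBL or PBL) an IP is on. This is an added example, not part of Opterius or the original page; the function names are hypothetical, the DNSBL zone names for three of the lists in the table are supplied by the example, and it assumes dig is installed.

```sh
# Added example: DNSBL lookup with Spamhaus return-code decoding. Function names are hypothetical;
# the zone names are supplied here and do not appear on the original page.
DNSBL_ZONES="zen.spamhaus.org b.barracudacentral.org bl.spamcop.net"

dnsbl_lookup() { dig +short "$1" A; }   # wrapped so the logic below can run offline

# 203.0.113.10 -> 10.113.0.203 (DNSBLs are queried as <reversed-ip>.<zone>)
reverse_ipv4() {
  echo "$1" | awk -F. 'NF == 4 && $0 ~ /^[0-9.]+$/ { print $4 "." $3 "." $2 "." $1 }'
}

# interpret_answer ZONE ANSWER -> one-word verdict
interpret_answer() {
  case "$1:$2" in
    zen.spamhaus.org:127.255.255.*) echo "error" ;;       # query refused, NOT a listing
    zen.spamhaus.org:127.0.0.[239]) echo "listed-SBL" ;;
    zen.spamhaus.org:127.0.0.[4-7]) echo "listed-XBL" ;;
    zen.spamhaus.org:127.0.0.1[01]) echo "listed-PBL" ;;
    *:127.*)                        echo "listed" ;;
    *)                              echo "unexpected" ;;
  esac
}

# check_ip IP -> prints one line per zone/answer; returns 1 if listed anywhere, 2 on bad input
check_ip() {
  ci_rev=$(reverse_ipv4 "$1")
  [ -n "$ci_rev" ] || { echo "not an IPv4 address: $1"; return 2; }
  ci_listed=0
  for ci_zone in $DNSBL_ZONES; do
    ci_answers=$(dnsbl_lookup "$ci_rev.$ci_zone")
    [ -n "$ci_answers" ] || { echo "$ci_zone clean"; continue; }
    for ci_ans in $ci_answers; do          # ZEN can return several codes at once
      ci_verdict=$(interpret_answer "$ci_zone" "$ci_ans")
      echo "$ci_zone $ci_verdict ($ci_ans)"
      case "$ci_verdict" in listed*) ci_listed=1 ;; esac
    done
  done
  return "$ci_listed"
}
```

A 127.255.255.x answer from ZEN means Spamhaus refused the query (for example because it arrived through a public resolver), so rerun the check through your own resolver before treating the IP as clean.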
6. What to Check When Mail Is Being Rejected
Work through this checklist in order:
[ ] Port 25 is open (test with telnet)
[ ] PTR record is set and matches Postfix myhostname
[ ] SPF record exists and includes your server's IP
[ ] DKIM signature is present and validates (check mail headers)
[ ] DMARC record exists (even p=none)
[ ] IP is not on Spamhaus ZEN or Barracuda
[ ] Postfix is not an open relay (test at mxtoolbox.com/diagnostic.aspx)
[ ] No malware or compromised accounts sending spam from your server
To check Postfix mail logs for delivery errors:
tail -f /var/log/maillog
Or filter for a specific domain:
grep "yourdomain.com" /var/log/maillog | tail -50
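One way to turn the log check into a triage against the checklist, as an added example that is not part of Opterius or the original page. The log lines are constructed, the function names are hypothetical, and the keyword-to-category mapping is a heuristic, since receiving servers word their rejections differently.

```sh
# Added example. Constructed sample lines in Postfix's smtp delivery-log format (not real traffic).
sample_maillog() {
cat <<'EOF'
Mar  3 09:14:02 mail postfix/smtp[2211]: 4A1B2C3D4E: to=<alice@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 09:14:09 mail postfix/smtp[2212]: 5B2C3D4E5F: to=<bob@example.org>, relay=mx.example.org[198.51.100.40]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=5.7.1, status=bounced (host mx.example.org[198.51.100.40] said: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Mar  3 09:15:30 mail postfix/smtp[2213]: 6C3D4E5F6A: to=<carol@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[198.51.100.60]:25: Connection timed out)
Mar  3 09:16:44 mail postfix/smtp[2214]: 7D4E5F6A7B: to=<dave@example.org>, relay=mx.example.org[198.51.100.40]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=5.7.25, status=bounced (host mx.example.org[198.51.100.40] said: 550 5.7.25 The sending IP has no PTR record (in reply to end of DATA command))
Mar  3 09:17:01 mail postfix/smtp[2215]: 8E5F6A7B8C: to=<erin@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.0, delays=0.1/0/0.5/0.4, dsn=5.7.26, status=bounced (host mx.example.net[198.51.100.25] said: 550 5.7.26 Message is unauthenticated: SPF and DKIM did not pass (in reply to end of DATA command))
EOF
}

# triage_maillog: read a Postfix log on stdin, print "COUNT CATEGORY STATUS DSN" for every
# failed delivery, where CATEGORY points at the checklist item to look at first.
triage_maillog() {
  awk '
    /postfix\/smtp\[/ && /status=(bounced|deferred)/ {
      st = "?"; dsn = "?"
      if (match($0, /status=[a-z]+/)) st  = substr($0, RSTART + 7, RLENGTH - 7)
      if (match($0, /dsn=[0-9.]+/))   dsn = substr($0, RSTART + 4, RLENGTH - 4)
      reason = tolower(substr($0, index($0, "status=")))
      if      (reason ~ /connection (timed out|refused)|network is unreachable/) c = "port25"
      else if (reason ~ /ptr|reverse dns|rdns/)                                  c = "ptr"
      else if (reason ~ /blocked using|spamhaus|barracuda|blacklist|blocklist/)  c = "blacklist"
      else if (reason ~ /spf|dkim|dmarc|unauthenticated/)                        c = "auth"
      else                                                                       c = "other"
      n[c " " st " " dsn]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k2
}

# Try it on the constructed lines:  sample_maillog | triage_maillog
# On the server:                    triage_maillog < /var/log/maillog
```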